FAQ

From Cooey Wiki
Revision as of 23:13, 3 November 2024 by Marieramsay (talk | contribs)

The DoD CIO has published their own FAQ here: https://dodcio.defense.gov/CMMC/FAQs/

____________________________________________________

The COE Discord and CMMC Reddit pages are free resources led by the community. Some of the most common questions are listed below, along with some of the answers offered.

NOTE: Depending on your own situation, these answers may not work for your environment. Work with your own compliance or legal team to ensure your implementation and interpretation is acceptable for compliance.

How much does compliance cost?

ANSWERS HERE

How do I know if I have CUI?

It should be marked by the person who sent it to you. If it's not, but if your purchase order or contract flow-down requires you to protect the data as if it were CUI, contact your buyer/customer and ask for clarification.

Have you watched Ryan Bonner's video on this?

Are machine files (like CAD models) CUI if I create them as the manufacturer?

ANSWERS HERE

How do I convince management to be compliant?

ANSWERS HERE

What can I expect during a CMMC assessment?

ANSWERS HERE

Do all of my Security Protection Assets (SPAs) need to be CMMC-compliant?

ANSWERS HERE

How do I choose a C3PAO?

ANSWERS HERE

What options are out there for training to become a CCP/CCA?

ANSWERS HERE

What should my System Security Plan (SSP) look like, what should it include, and how long should it be?

ANSWERS HERE

What is the difference between Plan of Actions and Milestones (POAM) and Operational Plan of Action (OPOA)?

Items put on a POAM must be closed out within 180 days, and must be one of the allowable items.

Items on an OPOA are items that were compliant before, but are temporarily out of compliance for some reason.

Is Department of Defense (DoD) the only government agency that requires CMMC?

As of right now (November 2024), yes. The Department of Energy and others may call out NIST 800-171, but at this time DoD is the only government agency poised to require third-party assessments to confirm compliance.

What's the difference between a Registered Practitioner (RP) and a CCP?

ANSWERS HERE

Are phones in scope of a CMMC audit?

ANSWERS HERE

What do I do if I'm sent CUI by my customer?

There's not much to do when a sender doesn't follow directions pertinent to your environment.

The best thing is to have policies in place on what to do when it actually happens.

Arguably, small businesses that rely on business from large primes have a harder time telling their customers that they are not following directions without becoming the problem child as a result.

One small business owner says: "Early on in the process, we sent out a memo to all of our aerospace customers, reminding them of CUI sharing responsibilities per flow down. We did it under the guise that we just wanted them to be aware that we were compliant in our practices.

It allowed us the opportunity to remind them on proper sharing practices."

If some small businesses had to file a report every single time CUI was inadvertently shared unencrypted through email by a big customer who should arguably know better, those small businesses would have no business.

It's helpful to get grounded now and then and ask, "What is it that we're trying to do here?"

You can only control your own environment and your own team. If the best you can do is over-communicate and remain hyper-aware once data is in your environment, then you're light years ahead of most.

What should I do if my customer requests my SPRS score?

ANSWERS HERE

Do all of my applications have to be FedRAMP to be CMMC compliant?

ANSWERS HERE